OpenSwan

Introduction

This guide provides information that can be used to configure OpenSwan to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been reported to inter-operate correctly with OpenSwan.

Overview

The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. This is often called a roadwarrior scenario, where a single client accesses the company network from different locations. We assume the following network configuration: the pool for the roadwarriors is 192.168.2.0/24, a single /24 (255.255.255.0) network. The internal company network is 192.168.0.0/24, where all of the servers reside. For example, after establishing a VPN connection to our company network, we are able to access the file server on 192.168.0.15. We use SSL certificates to authenticate the users and the server from the roadwarrior's point of view. The big advantage of using SSL certificates is that they can be revoked (declared invalid) if a user loses his computer or leaves the company. We generate the Certification Authority ourselves and sign the certs with the CA afterwards. This can also be done by a free Certification Authority like CAcert.

Gateway Configuration

This example assumes you have already installed the OpenSwan packages provided by your distribution vendor. The required package for the Debian operating system is called openswan and can be installed either by using apt-get or aptitude.

OpenSwan Setup

  1. Get root access on the appropriate machine and install the package through the mechanism provided by your operating system.
  2. Setup the required certificates for the server, and the roadwarriors:
    1. Creating the CA (valid for 10 years)
      openssl req -x509 -days 3650 -newkey rsa:2048 \
      -keyout /etc/ipsec.d/private/caKey.pem \
      -out /etc/ipsec.d/cacerts/caCert.pem
    2. Creating a certification request for our server and/or client: openssl ca expects a specific directory structure, so we create it here:
      cd /etc/openssl/
      mkdir demoCA
      mkdir demoCA/newcerts
      mkdir demoCA/private
      touch demoCA/index.txt
      echo "01" >> demoCA/serial

      Now the certification-request for our server:

      openssl req -newkey rsa:1024 \
      -keyout /etc/ipsec.d/private/serverKey.pem \
      -out /etc/ipsec.d/private/serverReq.pem
    3. Signing the certification request with our just created Certification Authority (CA) (valid for 2 years)
      openssl ca -in /etc/ipsec.d/private/serverReq.pem -days 730 \
      -out /etc/ipsec.d/private/serverCert.pem -notext \
      -cert /etc/ipsec.d/cacerts/caCert.pem \
      -keyfile /etc/ipsec.d/private/caKey.pem
    4. Creating client certs
      Hint: we create a .p12 container which holds nearly all files the client needs (we assume that you have already created a client cert request and signed it with the CA as explained at points 2.2 and 2.3):
      openssl pkcs12 -export -inkey roadwarriorKey.pem \
      -in roadwarriorCert.pem -certfile /etc/ipsec.d/cacerts/caCert.pem \
      -out mikeroadwarrior-rw.p12

      We now have a handy .p12 file which can be loaded into the Shrew Soft VPN Client on the client machines through its import function.

Server Configuration

  • /etc/ipsec.conf:
      config setup
              # nat-t activation
              nat_traversal=yes
              # Debug activation
              # plutodebug=control

      # global settings
      conn %default
              # network settings, timeouts...
              ikelifetime=60m
              keylife=20m
              rekeymargin=3m
              keyingtries=1

      # roadwarrior part
      conn roadwarrior
              # auth by cert
              authby=rsasig
              leftrsasigkey=%cert
              rightrsasigkey=%cert
              leftcert=serverCert.pem
              auto=add
              pfs=no
              dpddelay=30
              dpdtimeout=120
              dpdaction=clear
              left=%defaultroute
              leftsubnet=192.168.0.0/24
              right=%any
              rightsubnetwithin=192.168.2.0/24
              keyingtries=3

      # Opportunistic Encryption not active
      include /etc/ipsec.d/examples/no_oe.conf
  • /etc/ipsec.secrets:
    1. serverKey.pem is the server key created at 2.2 and "oursecretpassword" is the passphrase we specified there:
      : RSA serverKey.pem "oursecretpassword"

Client Configuration

Just take the stanza below, put it into a text file and import it afterwards with the Shrew Soft VPN Client's import function:

n:network-ike-port:500
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:30
n:network-dpd-enable:1
n:network-frag-enable:1
n:network-frag-size:1300
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:0
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:0
n:phase1-keylen:0
n:phase2-keylen:0
s:network-natt-enable:enable
s:phase2-compress:none
s:policy-list-type:include
s:policy-entry-network:192.168.2.0 / 255.255.255.0
s:network-host:hostname.of.your.company.vpn.srv
s:client-auto-mode:pull
s:client-iface:virtual
s:client-ip-addr:192.168.2.23
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-wins-addr:0.0.0.0
s:client-dns-addr:0.0.0.0
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:ident-client-data:C=DE, ST=Bavaria, O=test,CN=Mike/emailAddress=mike@test.net
s:ident-server-data:C=DE, ST=Bavaria, O=test,CN=vpn.test.net/emailAddress=vpn-server@test.net
s:auth-server-cert:mikeroadwarrior-rw.p12
s:auth-client-cert:mikeroadwarrior-rw.p12
s:auth-client-key:mikeroadwarrior-rw.p12
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-list-include:192.168.0.0 / 255.255.255.0

Because we prepare the client configuration by hand in this example, the client IP is predefined. The network settings can also be assigned by the server using the push/pull method.

Hints

s:ident-server-data must match the output of:

openssl x509 -in /etc/ipsec.d/cacerts/caCert.pem -noout -text | grep Subject

And s:ident-client-data must match the output of:

openssl x509 -in roadwarriorCert.pem -noout -text | grep Subject
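The CA, server and client certificate steps from the setup section, and the Subject check from the hints above, as one added non-interactive script (not part of the original howto). It works in a temporary directory instead of /etc/ipsec.d, uses openssl x509 -req instead of openssl ca so no demoCA tree is needed, and the subjects, the export password "demo" and the missing key passphrases are constructed for the demonstration:

```shell
#!/bin/sh
# Added example: throw-away CA + server cert + client cert + .p12, then a
# chain check and the Subject DN needed for s:ident-*-data. Paths and
# subjects are constructed for this demo, not the howto's /etc/ipsec.d ones.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/C=DE/ST=Bavaria/O=test/CN=Test CA/emailAddress=ca@test.net"
SRV_SUBJ="/C=DE/ST=Bavaria/O=test/CN=vpn.test.net/emailAddress=vpn-server@test.net"
CLI_SUBJ="/C=DE/ST=Bavaria/O=test/CN=Mike/emailAddress=mike@test.net"

# make_ca: self-signed CA valid 10 years (step 2.1); -nodes skips the
# passphrase only for the demo, a real CA key should be protected.
make_ca() {
    openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -subj "$CA_SUBJ" \
        -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" 2>/dev/null
}

# issue_cert NAME SUBJ: request plus CA signature valid 2 years (steps 2.2/2.3).
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1Key.pem" -out "$WORK/$1Req.pem" 2>/dev/null
    openssl x509 -req -days 730 -in "$WORK/$1Req.pem" \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
        -out "$WORK/$1Cert.pem" 2>/dev/null
}

# verify_cert NAME: exit status 0 only if the cert chains to our CA.
verify_cert() {
    openssl verify -CAfile "$WORK/caCert.pem" "$WORK/$1Cert.pem" >/dev/null 2>&1
}

# make_p12 NAME: bundle key, cert and CA cert for the client import (step 2.4).
make_p12() {
    openssl pkcs12 -export -inkey "$WORK/$1Key.pem" -in "$WORK/$1Cert.pem" \
        -certfile "$WORK/caCert.pem" -passout pass:demo -out "$WORK/$1-rw.p12"
}

# subject_dn NAME: the Subject to copy into s:ident-client-data / s:ident-server-data.
subject_dn() {
    openssl x509 -in "$WORK/$1Cert.pem" -noout -subject
}

make_ca
issue_cert server "$SRV_SUBJ"
issue_cert roadwarrior "$CLI_SUBJ"
make_p12 roadwarrior
subject_dn roadwarrior
```

Newer OpenSSL prints the Subject as "C = DE, ST = Bavaria, ..." while older releases print "/C=DE/ST=Bavaria/..."; the client expects the comma-separated form shown in the stanza above.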

https://www.shrew.net/support/Howto_OpenSWAN